US-12587544-B2

Method and system to remediate a security issue

Published: March 24, 2026
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A method performed by a security engine system to remediate a security issue of a computing resource. A transformation module may determine a security event from a description of the security issue, and a main message broker may send the security event to a decision server to obtain a sequence of recommended remediation actions based on the security event. A remediation server may then execute remediation scripts, each remediation script implementing at least a remediation action from the sequence of recommended remediation actions, each remediation action being applied to the computing resource.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method to remediate a security issue of a computing resource, the method being carried out by a security engine system comprising a transformation module, a main message broker, and a remediation server, the computing resource comprising an anomaly detection service, the security engine system being configured to communicate with the anomaly detection service of the computing resource and a decision server, the method comprising:

2. The method according to, wherein the sequence of recommended remediation actions is added to the security event.

3. The method according to, wherein the security event comprises one or more security marks, at least one security mark corresponding to a state of said security event, at least one new security mark being added to the one or more security marks at each step of the method.

4. The method according to, wherein the security engine system further comprises a database, wherein the security event comprises metadata, wherein the metadata comprises one or more of security marks, the investigation result and the sequence of recommended remediation actions, wherein the method further comprises storing the metadata of the security event in the database.

5. The method according to, wherein the security engine system further comprises a notification server, wherein the method further comprises sending a notification by electronic messaging using the notification server.

6. A security engine system to remediate a security issue of a computing resource, the security engine system being configured to carry out a method to remediate the security issue of the computing resource, said security engine system comprising:

7. A non-transitory computer-readable medium comprising instructions which, when executed by a computer, causes the computer to carry out a method to remediate a security issue of a computing resource, the method being carried out by a security engine system comprising a transformation module, a main message broker, and a remediation server, the computing resource comprising an anomaly detection service, the security engine system being configured to communicate with the anomaly detection service of the computing resource and a decision server, the method comprising:

8. The non-transitory computer-readable medium according to, further comprising a computer program product.

Detailed Description

Complete technical specification and implementation details from the patent document.

This application claims priority to European Patent Application Number EP20200388.5, filed Oct. 6, 2020, the specification of which is hereby incorporated herein by reference.

The technical field is security of computing resources such as cloud resources.

Cloud providers such as Google Cloud™, Amazon Web Services™ or Azure™ provide native security solutions, also called security findings hubs, to help customers gain visibility of their cloud resources and their security state, simplifying and improving security management of those resources. Security findings hubs integrate with detection capabilities that scan a customer environment and detect vulnerabilities and potential security issues such as misconfigurations. Detection capabilities can leverage machine learning, threat intelligence, ingress/egress visibility, and other telemetry. The detected security issues are then reported centrally into the security findings hub, providing a view across the entire customer environment. However, security findings hubs do not presently provide a means to remediate these security issues easily, and large volumes of findings can be difficult to manage, resulting in unsorted and unprioritized security issues. This can lead to a large amount of time between detection and remediation of security issues.

A security orchestration, automation, and response system is a third-party solution covering at least a part of the remediation process, from generating a remediation strategy to applying remediation actions directly to the cloud resource. A security orchestration, automation, and response system can reduce the time between detection and remediation of security issues. However, not all security orchestration, automation, and response systems provide direct application programming interface (hereafter called API) integration with security findings hubs.

There is a need to provide a security solution offering remediation of security issues without any input from a user, and that can integrate a security orchestration, automation, and response system with the cloud environment.

According to a first aspect of the invention, this need is satisfied by providing a method to remediate a security issue of a computing resource, the method being carried out by a security engine system comprising a transformation module, a main message broker, and a remediation server, the security engine system being configured to communicate with the computing resource and a decision server, the method comprising the following steps:

Thanks to the invention, information related to the security issue is automatically sent to the decision server to obtain a sequence of remediation actions. Without any input from a user, the remediation actions are applied to the computing resource. This way, a detected security issue is automatically remediated as soon as possible, reducing the delay between detection and remediation.

The security event provides an abstraction layer over the description of the security issue, that abstraction layer being a universal means to exchange information between the computing resource and the decision server. The decision server does not need to natively support the API of the computing resource. "Universal" here means agreed at the organization level.

The abstraction layer provided by the security event allows information to be exchanged between the computing resource and the decision server whether the computing resource is public, private, or hybrid (public/private). This way, the remediation process can be extended beyond public computing resources.

Executing remediation scripts that are not provided by the decision server gives users control over the remediation actions performed on the computing resources. For example, users can write their own remediation scripts instead of relying on third-party solutions that interact directly with the cloud resource.

Separating decision making from remediation action execution allows greater flexibility for developing new use cases. It also reduces technology dependence, which in turn reduces the risk of vendor lock-in.

A decision server may be isolated from the cloud resource to increase security. For example, stakeholders can request a layer of separation between the cloud resource and the decision server. The method of one or more embodiments of the invention provides a way to link the cloud resource to the decision server as it sends the security event to the decision server and receives information from the decision server.

The decision server, being isolated from the cloud resource, cannot directly perform operations in the cloud environment (such as applying remediation actions). The method applies the remediation actions instead of the decision server.

The security engine system, placed between the decision server and the cloud resource, allows all security issue detections and remediations to be tracked. It ensures that the lifecycle of the security events is maintained consistently. It can also ensure that stakeholders are notified each time an action is taken.

In addition to the characteristics recited above, the method according to the first aspect may also have one or more additional characteristics, considered individually or in any technically possible combination.

According to an implementation, the security event is determined from a description of the security issue and associated context information. Including the context information associated with the security issue in the security event allows a better analysis of the security issue, so that the sequence of remediation actions obtained fits the remediation needs.

According to another implementation of the method, the sequence of recommended remediation actions is added to the security event.

According to another implementation of the method, the main message broker also receives an investigation result from the decision server based on the security event, the investigation result indicating whether the security issue is considered a true positive or a false positive. Preferably, remediation scripts are only executed by the remediation server when the investigation result indicates a true positive.

According to another implementation of the method, the security event comprises one or more security marks, at least one security mark corresponding to the state of the security event, and at least one new security mark being added to the security marks at each step of the method.

A security mark is a label or tag.

Security marks help to maintain an auditable lifecycle of the security event.

Findings hubs do not provide advanced reporting that could benefit a security operations team. Therefore, there is a need to provide a solution offering advanced reporting of security state of the cloud resource.

According to another implementation of the method, the security engine system comprises a database, the security event comprises metadata, and the method comprises a step of storing the metadata of the security event in the database. Preferably, the method comprises a step of sending at least a part of the metadata of the security events stored in the database to the decision server for analysis. The result of that analysis can be compiled in a report, and the report can be sent to stakeholders such as a security operations team.

According to another implementation of the method, the security engine system comprises a notification server and the method comprises a step of sending a notification by electronic messaging using the notification server.

Another aspect of the invention relates to a security engine system to remediate a security issue of a computing resource, the security engine being configured to carry out the previously mentioned method.

Another aspect of the invention relates to a computer program product comprising instructions which, when the program is executed by a computer, causes the computer to carry out the method according to one or more embodiments of the invention.

Another aspect of the invention relates to a computer-readable medium comprising instructions which, when executed by a computer, cause the computer to carry out the method according to one or more embodiments of the invention.

For greater clarity, identical or similar elements are marked by identical reference signs in all the figures.

A first aspect of the invention, illustrated in the figures, concerns a method to remediate a security issue S of a computing resource CR.

The computing resource CR can be part of a computing platform CP comprising a server or a cloud platform, provided by a cloud provider such as Google Cloud Platform™, Amazon Web Services™ or Microsoft Azure™. The computing resource CR can be a server or a cloud server comprising at least a processor and memory. At least a part of the computing resource CR is accessible by a user USR. In the illustrated example, the user USR is running a virtual machine VM on a part of the computing resource CR. The virtual machine VM has a security issue S, which gives undesired software a way to run on the virtual machine VM and take advantage of computing resources or sensitive information. Of course, the virtual machine VM may have a plurality of security issues S. As an example, the security issue S can be malicious crypto mining software running on the virtual machine VM of the user USR. The crypto mining software can be detected because of the large amount of processor resources it uses or because of an unusual data stream sent to an untrusted external resource. The crypto mining software is detected by a security findings hub.

The computing resource CR can be public or private. A public computing resource CR is shared between a plurality of users USR. The term user USR can refer to a person or an organization. Computing resources CR can be adjusted to match the needs of the users USR or organizations. The information of a user USR, or at least the sensitive information of a user USR, is not shared with other users USR. However, if a security issue S occurs, information may be compromised. A private computing resource CR is dedicated to one user USR or one organization. A hybrid computing resource comprises public and private computing resources.

The security management of the computing resource CR can be done by a dedicated threat management team TMT. However, depending on the size of the organization using the computing resource CR, the threat management team may comprise only one person and, in some cases, that person is also the user USR of the computing resource CR. Stakeholders are defined as the threat management team TMT and the user USR.

The method of one or more embodiments of the invention is intended to remediate the security issue S and can be implemented by a security engine system SE comprising a transformation module TRAN, a main message broker MB, and a remediation server RE. The security engine system can communicate with a decision server DC. The decision server DC provides recommended remediation actions to remediate the security issue S.

In order to do so, the method of one or more embodiments of the invention comprises a step of determining a security event from a description of the security issue S. The description of the security issue S is also called a finding. The determination is performed by the transformation module TRAN and converts the description of the security issue S into a format processable by the decision server DC.

In an embodiment, the security engine system SE is connected to a findings hub SCC belonging to the computing platform, and the finding received by the transformation module TRAN is sent by the findings hub SCC. The findings hub SCC can be a native security solution provided by the computing provider to manage the security of the computing resource CR. The findings hub SCC can also be a third-party security solution installed on the computing platform CP, offering security management features equivalent to those offered by providers of computing resources. Public computing providers usually provide a findings hub SCC, but private computing providers can also provide a similar solution. The findings hub SCC can give a detailed overview of the security state of the computing resource CR. The security issue S of the computing resource CR is detected and stored by the findings hub SCC. To do so, the findings hub SCC comprises an anomaly detection service AD and a security hub HB.

The anomaly detection service AD is configured to scan the computing resource CR and detect the security issues S. The anomaly detection service AD can leverage threat intelligence to detect security issues S, for example using multiple machine learning algorithms. The anomaly detection service AD can also monitor telemetry such as ingress/egress traffic of the computing resource CR to detect an application or resource exhibiting unexpected use of computing resources. The anomaly detection service AD compiles a description of the security issue S, also called a finding. For example, the anomaly detection service AD can be Google Cloud Anomaly Detection™ or Amazon CloudWatch Anomaly Detection™.

The finding can be stored on the security hub HB. The security hub HB is a central element that the threat management team TMT can access to obtain a list of all the findings. The security hub can offer a graphical user interface, such as a dashboard, listing the findings.

In an embodiment, the finding corresponding to the security issue S is directly received by the transformation module TRAN. For example, the security engine system SE is connected to a findings hub SCC belonging to the computing platform CP, and the finding received by the transformation module TRAN is sent directly by the findings hub SCC to the transformation module TRAN.

In another embodiment, the security engine system SE comprises a front message broker MB, configured to transfer the findings from the findings hub SCC to the transformation module TRAN. The front message broker MB receives the finding from the findings hub SCC. The front message broker MB can be replaced by a queuing message server or a message bus, in which case the findings are transferred directly to the transformation module TRAN.

In an embodiment, the front message broker MB implements the publish-subscribe pattern, also called pub-sub. Following the publish-subscribe pattern, a message generated by a sender, also called a publisher, is pushed to a message broker on a defined topic. The message broker then sends the message to one or more services subscribed to that topic, called subscribers. The publish-subscribe pattern allows messages to be transferred from a plurality of publishers to a plurality of subscribers, each message being routed to the right subscriber by means of the message broker's topics.

Thanks to the publish-subscribe pattern implemented by the front message broker MB, the security engine system SE can receive findings from a plurality of findings hubs SCC, and therefore from a plurality of computing platforms CP. Thus, the front message broker MB allows the security engine system SE to remediate security issues S on more than one computing resource CR. This way, the security engine system SE can also remediate security issues S from public computing resources, from private computing resources, or from a hybrid configuration mixing public and private computing resources.

The API of the computing resource CR, and more specifically of the findings hub SCC, can be used to send the findings to the front message broker MB. It is preferable that the front message broker MB has only one topic, so that all the findings are routed to the single subscriber of the front message broker MB. Preferably, that single subscriber is the transformation module TRAN, to which all findings are sent.

The determination of the security event is performed based on said findings. Determining a security event can be defined as converting and/or embedding the received finding. The security event provides an abstraction layer over the findings, facilitating the interoperability of the underlying finding. Preferably, the security event format and the finding format are agreed at organization level so that the security event and the underlying finding can be processed on the decision server DC side. This ensures that the security event has the same format every time.

The finding may be embedded in the security event in its original form. However, a conversion of the finding can be performed to provide processable information to the decision server DC. The finding can be an organized text to allow an easy parsing and a good interoperability. For example, it can be formatted using the JSON format. An example of a security event in a JSON format can be found below.

In the above example, the security event comprises a finding, security marks, context information and response to remediate the security issue S. It further comprises a plurality of fields, for example the fields “finding type”, “URLs”, “virtual_machine_ip” and “virtual_machine_hostnames” which provide information on the type of security issue S. During a conversion, the finding is parsed to fill in the fields of the security event.

It can also comprise context information associated with the security issue S. Context information allows the security event to be classified and identified so that it is correctly processed. Context information can also be used to provide more insight to the decision server DC. As shown in the security event example above, context information can comprise details of the resource owner extracted from a user management system, the source of the finding when there is more than one findings hub SCC, or a unique identification number. Details of the resource owner can be obtained through the findings hub SCC. Context information can also comprise organization- or business-related information. For example, it can comprise a list of threatened projects, or a boolean indicating whether sensitive information is compromised.

Context information can cover a wider field than just information related to the security issues S and the cloud resources CR. It can comprise information on the decision server DC. For example, the security engine system SE can communicate with more than one decision server DC, and context information can be used to select one of them. In another example, the decision server DC may be disconnected from the security engine system SE for maintenance. In that case, the security event cannot be sent to the decision server DC for investigation, and an electronic message is sent to the stakeholders (the threat management team TMT and/or the user USR).

In an embodiment, a security event comprises one or more security marks. The security marks, for example up to ten, can be added to, modified in, or removed from the security event at each step of the method. At least one security mark can correspond to the state of the security event. Security marks can provide an overview of the lifetime of a security event. For example, a security event can comprise a security mark "status" set to "remediated" if the associated security issue S is already remediated. A security mark "remediation_timestamp" can hold the timestamp at which the remediation actions were performed. Security marks can be used in queries, allowing easy filtering and sorting, for example to provide an overview of the security status of the computing resource CR. Filtering and sorting by security marks can also help to create reports for the threat management team TMT. More examples of security marks are:

The method comprises a step of sending the security event to the decision server DC to obtain a sequence of recommended remediation actions based on the security event. The security event is sent to the decision server DC by the main message broker MB.
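The whole pipeline described above, as an added Python example that is not the patent's own code nor any provider's implementation: a single-topic publish-subscribe front broker whose only subscriber is the transformation module, the conversion of a hub finding into a security event that embeds the original finding and carries context information and security marks, the investigation result and recommended actions returned by an isolated decision server, and a remediation server that runs operator-owned scripts only for a true positive, adding a security mark at each step and keeping event metadata in a database that can be queried by mark. The topic name, the event field names, the decision rule, the remediation commands (returned as strings rather than executed), the ConnectionError used to model a decision server down for maintenance, and the two sample findings are all assumptions made for the example.

```python
# Added example (not the patent's code); names, fields and commands are assumptions.
import uuid
from datetime import datetime, timezone

TOPIC = "findings"  # the front broker's single topic (name assumed)

class FrontBroker:
    """Single-topic pub/sub: hubs publish, the transformation module alone subscribes."""
    def __init__(self):
        self._subs = {}
    def subscribe(self, topic, handler):
        self._subs.setdefault(topic, []).append(handler)
    def publish(self, topic, message):
        for handler in self._subs.get(topic, []):
            handler(message)

def add_mark(event, key, value):
    """A security mark is a label on the event; each step of the method adds one."""
    event["security_marks"][key] = value
    return event

def transform(finding, source):
    """Transformation module: embed the raw finding and parse agreed fields out of it."""
    props = finding.get("sourceProperties", {})
    event = {"id": str(uuid.uuid4()), "finding_type": finding["category"],
             "URLs": props.get("urls", []), "virtual_machine_ip": props.get("ip"),
             "virtual_machine_hostnames": props.get("hostnames", []),
             "finding": finding, "security_marks": {}, "response": {},
             "context": {"source": source, "owner": finding.get("owner")}}
    return add_mark(event, "status", "new")

def decision_server(event):
    """Stand-in for the isolated decision server: it sees only the event and returns
    an investigation result plus actions; it never touches the resource itself."""
    untrusted = any(u.endswith(".untrusted.example") for u in event["URLs"])
    if event["finding_type"] == "CRYPTO_MINING" and untrusted:
        return {"investigation_result": "true_positive",
                "recommended_actions": ["snapshot_disk", "isolate_vm", "kill_miner"]}
    return {"investigation_result": "false_positive", "recommended_actions": []}

# The operator's own scripts, not supplied by the decision server; each returns
# the command it would run instead of executing it (commands assumed).
REMEDIATION_SCRIPTS = {
    "snapshot_disk": lambda e: f"snapshot {e['virtual_machine_hostnames'][0]}",
    "isolate_vm": lambda e: f"firewall deny-egress {e['virtual_machine_ip']}",
    "kill_miner": lambda e: f"ssh {e['virtual_machine_ip']} pkill -f xmrig",
}

class SecurityEngine:
    """front broker -> transform -> decision server -> remediation, with a database."""
    def __init__(self, decide=decision_server):
        self.decide, self.db, self.notifications = decide, [], []
        self.front = FrontBroker()
        self.front.subscribe(TOPIC, self._handle)

    def _handle(self, msg):
        event = transform(msg["finding"], msg["hub"])
        try:  # main message broker: send the event to the decision server
            event["response"] = self.decide(event)
        except ConnectionError:  # decision server down: notify, never guess
            add_mark(event, "status", "decision_unavailable")
            self.notifications.append(f"{event['id']}: decision server unreachable")
        else:
            add_mark(event, "investigation_result", event["response"]["investigation_result"])
            event["executed"] = self._remediate(event)
        self.db.append(event)  # metadata (marks, result, actions) kept for reporting

    def _remediate(self, event):
        """Remediation server: run scripts only for a true positive; stop at an unknown action."""
        if event["response"]["investigation_result"] != "true_positive":
            add_mark(event, "status", "closed_false_positive")
            return []
        executed = []
        for action in event["response"]["recommended_actions"]:
            if action not in REMEDIATION_SCRIPTS:
                add_mark(event, "status", "needs_manual_action")
                self.notifications.append(f"{event['id']}: no script for {action}")
                return executed
            executed.append(REMEDIATION_SCRIPTS[action](event))
        add_mark(event, "status", "remediated")
        add_mark(event, "remediation_timestamp", datetime.now(timezone.utc).isoformat())
        self.notifications.append(f"{event['id']}: remediated {event['finding_type']}")
        return executed

    def report(self, **marks):
        """Query stored events by security marks, e.g. report(status="remediated")."""
        return [e for e in self.db if all(e["security_marks"].get(k) == v for k, v in marks.items())]

SAMPLE_FINDINGS = [  # constructed sample findings from two hubs, not real hub output
    {"hub": "gcp-scc", "finding": {"category": "CRYPTO_MINING", "owner": "team-a",
     "sourceProperties": {"ip": "10.0.0.7", "hostnames": ["vm-a"], "urls": ["pool.untrusted.example"]}}},
    {"hub": "aws-hub", "finding": {"category": "CRYPTO_MINING", "owner": "team-b",
     "sourceProperties": {"ip": "10.0.1.9", "hostnames": ["vm-b"], "urls": ["ci.internal.example"]}}},
]

def run_demo(findings=SAMPLE_FINDINGS, decide=decision_server):
    engine = SecurityEngine(decide)
    for msg in findings:
        engine.front.publish(TOPIC, msg)
    return engine
```

Calling run_demo() publishes both sample findings on the single topic; the first ends with status "remediated", a remediation_timestamp mark and three executed commands, the second is closed as a false positive with no script run, and report(status="remediated") returns only the first. Passing a decide callable that raises ConnectionError models the maintenance case: the event is stored with status "decision_unavailable" and a notification is logged instead of any remediation. Two design points worth noting: the decision server only ever receives the event dictionary, never a handle to the resource, which is what keeps the separation the description asks for; and an action the remediation server has no script for halts the sequence and escalates rather than being improvised.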

Patent Metadata

Filing Date: Unknown
Publication Date: March 24, 2026
Inventors: Unknown

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Method and system to remediate a security issue” (US-12587544-B2). https://patentable.app/patents/US-12587544-B2

© 2026 Patentable. All rights reserved.
